I have lost the superadmin password. What to do ?

Article Id: 125716
Status: Published
Updated On: 01-02-2019 08:05
Products:
CA Virtual Privilege Manager , CA Privileged Identity Management Endpoint (PIM) , CA Privileged Access Manager (PAM)
Issue/Introduction:

The superadmin user in PIM is used to access the ENTM environment and therefore, losing its password may render the management GUI unusable unless other users are provisioned with similar privileges. 

 

Can I reset or change the password of the superadmin account if I lost it after installation ?

Environment:

CA PIM 12.X, 14.X and CA PAM SC 14.X ENTM on Windows

A very similar procedure applies to UNIX

Resolution:

The superadmin password is encrypted and may not be retrieved in clear text, so the only thing we can do is to encrypt it again using a tool called pwdTools 

C:\Program Files\CA\AccessControlServer\IAM Suite\Access Control\tools\PasswordTool\PwdTools.bat 

You may need to edit it to set the JAVA_HOME environment 

The command: 

PwdTools.bat -FIPS -p password -k 
"C:\jboss-4.2.3.GA\server\default\deploy\IdentityMinder.ear\config\com\netegrity\config\keys\FIPSkey.dat" 

will encrypt the phrase 'password' using your JBoss FIPS key. For example: 

Plain Text: password 
Encrypted value: {AES}:4zERcmCrsLJtiuDaiygdmA== 

This is will only encrypt the new password to text. It then needs to be replaced in the Database that you are using as a user store. 

The procedure will then depend on whether this is  Active Directory (AD) or  SQL.

If the user store is in SQL there is a table called tblusers which contains the information of the users 

First look at the existing passphrase to compare: 

SQL> select password from tblusers where loginid='superadmin'; 

PASSWORD 
-------------------------------------------------- 
{AES}:JIZqLtFyvf6at0VM3nVjdg== 

Assuming you know the password for superadmin, running this command should yield a result which should be the same as the encrypted password obtained following the procedure above. For instance if the superadmin password were 'password' then both the query result and the PwdTools.bat result should be  {AES}:4zERcmCrsLJtiuDaiygdmA== 

If both results are different, it means that the superadmin password stored is different from the one that we want to set and so we would update the database to use the new encrypted passphrase: 

SQL> update tblusers set password='{AES}:4zERcmCrsLJtiuDaiygdmA==' where loginid='superadmin'; 
SQL> commit; 

If AD is used as a user store, you can export ac-dir.xml through the Identity Manager management console page, idmmanage and then you can replace the encrypted password in this xml with the password encrypted with PwdTools.bat as explained above.  Then you import ac-dir.xml again into PIM. 

Note that the Identity Manager page is not enabled by default. If you need to access it you need to follow this procedure 

https://docops.ca.com/ca-privileged-identity-manager/12-9-01/EN/implementing/using-the-ca-identity-manager-management-console/enable-the-ca-identity-manager-management-console 

After following it, idmmanage is accessible as

http://<pim_server>:18080/idmmanage  or https://<pim_server>:18443/idmmanage

depending on whether you are using ssl or not.

There you can export the ac-dir.xml if you need to follow the procedure above